On Some Key Problems Of Mobile Payment System Security

With rapid increasing of the mobile customers and continual improvement of the mobile technology, mobile commerce gets fast development and is faced with unprecedented development opportunities. However, micro-payment transaction is the major transaction in mobile commerce, and the turnover of the mobile commerce also forms a little share in that of the electronic commerce. The restrictive factors of the mobile commerce development are complicated. From the present mobile commerce system platform perspective, the width of the wireless network, the computing capability of mobile device, and the security of mobile payment system are the urgent problems to be solved. With the research on improving the mobile payment system security, the thesis aims at improving the performance of mobile commerce system and promoting the implementation of mobile commerce which has important theoretical and practical significance.Based on the review of the research status of mobile payment system, the thesis finds some main problems of the mobile payment system security, for example, there are some hiding dangers existing in the present mobile payment system frameworks; no formal analysis approach can be used to ensure effectiveness of security analysis for all payment protocols, and many approaches cannot be used to analyze the accountability and fairness of the payment protocol; fairness is an important security requirement for mobile commerce transaction, however, many payment protocols cannot satisfy the fairness requirement and the practicability at the same time. For solving the above problems, the research is carried out from the following four aspects, including mobile payment model, the mobile payment system framework, the payment protocol analysis and fair payment protocol design.In the aspect of the mobile payment system model, the component elements and the basic properties are analyzed firstly. Then the general model of the mobile payment system is defined, in which the mobile payment system infrastructure is involved in the operational semantic, and some properties, such as security, system goals, and transaction performance, are involved in the properties. In order to evaluate the security and the feasibility of implementation of the mobile payment system, the operational rules and the performance evaluation methods are presented. At last, the description methods to the operational semantic of the mobile payment system model based on Petri nets are introduced.Aiming at the hiding dangers in the proxy-based mobile payment system framework and agent-based mobile payment system framework, the thesis proposes an improved framework based on threshold proxy mechanism which integrates the advantages of both the proxy-based framework and the agent-based framework. In the improved framework, the clients partially trust the proxy server, and there must be more than t agents work together to carry out the payment transaction in the merchant server, the difficulty of hostile merchant attacking the mobile agent to eavesdrop or tamper the secret information is increased for the hostile merchant should attack all the t agents, so the hiding dangers in the above two frameworks can be avoided. And a threshold proxy signature scheme based on elliptic curves is proposed to satisfy the secure requirements in the improved framework, security analysis and performance analysis can prove the scheme is suitable for the proposed framework.Aiming at the formal analysis of the accountability and fairness in the payment protocol, the thesis proposes a formal analysis approach based on CPN (Coloured Petri Nets). The approach can not only analyze confidentiality, integrity, authentication, accountability of the payment protocol, and with the characteristic that the time element can be added to the CPN model, the proposed approach can also be used to analyze fairness effectively. Using the proposed approach to analyze KSL protocol, we find that KSL protocol does not satisfy the accountability and fairness requirement. The proposed approach detects the leak in the protocol that cannot be detected by other formal analysis approaches. The result shows the effectiveness of the proposed approach.Aiming at the problem that fairness requirement and practicability of the payment protocol, the thesis proposes a new mobile payment protocol based on identity-based concurrent signcryption scheme. By using identity-based signcryption and perfect concurrent signature as reference, a new notion of identity-based concurrent signcryption is proposed, the formal definition of concurrent signcryption and the security model is introduced. The identity-based concurrent signcryption can ensure the fairness between the entities, and also satisfy the confidentiality and authentication requirements. An identity-based concurrent signcryption scheme using bilinear pairings is proposed. The proposed scheme is proved to be secure in random oracle model, assuming the bilinear Diffie-Hellman problem and computational Co-Diffie-Hellman problem are hard. Based on the proposed identity-based concurrent signcryption scheme, a mobile payment protocol is designed, the analyzing result shows it is secure.